
SSL made easy


MikeB111


Hey Everyone,

 

My journey from Plex to Emby has been pretty smooth with the exception of setting up SSL encryption.  There are lots of great posts on this forum and elsewhere on how to do this, and I consider myself pretty computer literate.  But I'll be honest, this was a bit overwhelming for me as I have no experience at all in hosting web servers, DNS, or encryption certificates.  After many hours, I've got it all working, so I thought I'd share what I've learned. 

 

I'm going to try to write this for the newbie, so don't be offended if it seems like I'm explaining lots of simple stuff.  That's really what I needed a week ago, so maybe it'll help someone else in my shoes.  Also, this is for Windows, although most of it applies to any OS.  There's lots of text, but it's really very easy.

 

Let me also say, I understand that a reverse proxy gives you lots of benefits and flexibility for securing your server.  But that was a step too far for me.  If you want a reverse proxy this post is not for you, but there are many posts in this forum to help you.

 

If you want to access your Emby server from outside your home network you will want to require secure connection mode for all remote connections (see "Network" tab in Emby server configuration).  To do this you need an SSL certificate.  To get an SSL certificate you must have your own registered domain name.  Here's a step-by-step.

 

Domain Name Registration

 

A domain name is the readable text part of a web address.  So emby.media, or google.com, or media.yourdomain.net.  Most home users don't have one, but you need one to get an encryption certificate.  While there are many options for purchasing a domain (godaddy.com being very popular), I chose to buy my domain from domains.google.  It cost me $12/year, and this is the only cost to getting your Emby server working with encryption.  Go to https://domains.google, pick a domain, pay your money, and you're ready to go.  For the rest of this discussion let's say you registered the domain name yourdomain.net.

 

Now you need to associate your new domain with your home IP address.  Most home users get their IP address assigned to them by their internet provider and it is "dynamic," meaning it can change.  So you need to be able to tell your domain provider what your address is and update it when it changes.  This can be done automatically, and is called dynamic DNS (DDNS).  Google Domains supports this easily; here is the help page explaining how to set it up.  Fortunately, my ASUS router has this capability built in so it was easy, but it's easy even if your router doesn't (follow Google's directions). 

 

That's it for domain name registration.  Now yourdomain.net points to your home network IP address.

 

SSL Certificate

 

Now you need to get an SSL certificate.  This has the encryption keys you need, and must be issued by a recognized certificate authority or it gets blocked by your browser.  Let's Encrypt will give you a free SSL certificate but it has to be renewed every 90 days.  This was the part I was most confused by, but it's actually really easy.  The part to understand is that Let's Encrypt must have some way of proving you own your domain name before they can issue you a certificate.  There are two options: 1) they give you a little text file to place on your web server in a certain location.  I don't have a web server so this is a no-go.  2) They give you a text string to add to your DNS registration in what is called a "TXT Record."  You do this with Google Domains; it's very easy.

 

To get a certificate you need an ACME client program that knows how to talk to the Let's Encrypt server.  They recommend certbot, but it doesn't work in Windows.  Dig enough and you'll find ZeroSSL; they have a nice downloadable program that does it all and is really easy.  Download here.  Make a directory on your computer (I used c:\ZeroSSL).  Put the le64 (or le32) exe in this directory.  A single command will create your certificate.  I think the easiest way to do this is to create a text file in the same folder as the program, call it "get_cert.bat" and put the following lines of text in the file.  Edit the le64 line to have your actual domain name (instead of "yourdomain.net"), and to have your actual password for your PFX file (whatever you want it to be, just replace "yourpasswordhere" in the code below).

@echo off
REM Generates the account key, domain key and CSR if missing (--generate-missing),
REM requests the certificate with the DNS-01 challenge (--handle-as dns) from the
REM production Let's Encrypt endpoint (--live), and exports a PFX for Emby.
REM Note: the PFX password below is stored in clear text in this file.
le64 --key account.key --csr domain.csr --csr-key domain.key --crt certificate.csr --domains "yourdomain.net" --generate-missing --handle-as dns --export-pfx "yourpasswordhere" --live
pause

Save the text file as get_cert.BAT and then double click it to run.  This runs the le64 program, creates the public/private key pair, asks lets encrypt to generate a certificate, saves that certificate, and converts it to a PFX file format that Emby requires.  All in one command!  When you run this, a command window will appear and you can see what it's doing.  After a few seconds it'll pause and ask you to place the TXT record in your domain.  It gives you a name and value, the name will be something like _acme-challenge.yourdomain.net, and the value will be a bunch of random letters and numbers.  The program pauses here for you to put this into your domain.

 

So now you just log in to Google Domains again, go to "DNS" on the left menu, scroll all the way down and enter a "Custom Resource Record."  The type is TXT, the name and value are what le64 gave you.  Put them in, wait a few minutes for the change to take effect (it took just a couple of minutes for me).  Then go back to the command window where le64 is running and press Enter to continue.  It'll then verify your TXT record is there and issue your certificate.  You'll find a file certificate.pfx in the le64 directory, and that's it!

 

Emby Setup

 

Now log in to your Emby server setup.  Go to "Network," in the field "External Domain" you put your domain name, so yourdomain.net or whatever you chose.  For "Custom SSL certificate path," browse to the .pfx file that was created by the le64 program.  In the "Certificate Password" field put whatever password you used in the .BAT file above when you created your certificate.  Then for "Secure Connection Mode" I recommend you choose "Required for all remote connections." 

 

You also have to log in to your home router and forward port 8920 to the computer running your Emby server.  I'm not going to give directions on how to do this, it depends on your router, but it's super easy.

 

That's it.  You need to restart your Emby Server, and then you're done!  You can now access your server remotely and securely at https://yourdomain.net:8920. 

 

Certificate Renewal

 

Now, I mentioned before that the Let's Encrypt certificates are only good for 90 days.  So every 90 days you have to renew the certificate.  Take that "get_cert.bat" file you made earlier and make a copy of it called renew_cert.bat.  At the end of the le64 line, just add the text "--renew 20" (without the double quotes).  When you are within 20 days of your expiration date run this file, and it'll renew your certificate.  I believe it'll ask you to place a new TXT record in your domain, so certificate renewal cannot be made fully automatic.  You'll have to run it manually and add this TXT record into your Google Domains DNS just like when you created the certificate in the first place.  But it takes just a few minutes and then your certificate is renewed.  You'll have to restart your Emby server for it to take.  The file locations all stay the same, so you don't have to update anything in the Emby setup, just restart Emby.  That's it!

 

Well, I hope this helps someone.  Sorry for the long post.  I would have benefited from this level of detail a week ago, so maybe it'll be good for someone.  If anyone sees something wrong here, feel free to correct me. 

 

 

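An added example, not from MikeB111's post and not part of ZeroSSL's le64: a PowerShell script to run while le64 is paused at the "place the TXT record" step. Let's Encrypt looks the record up from its own network, so the check below asks several public resolvers directly for _acme-challenge.yourdomain.net and only reports success when every one of them returns exactly the value le64 printed. The domain, the expected value and the resolver list are placeholders to edit; Resolve-DnsName comes with the DnsClient module on Windows 8 / Server 2012 and later.

```powershell
# Added example (not from the original post). Confirms the DNS-01 challenge
# record is visible at public resolvers before you press Enter in le64.
#
# Assumptions (not in the original post): the domain, the expected challenge
# value and the resolver addresses below are placeholders; edit them.
param(
    [string]$Domain         = 'yourdomain.net',
    [string]$Expected       = 'PASTE-THE-VALUE-LE64-PRINTED',
    [string[]]$Resolvers    = @('8.8.8.8', '1.1.1.1', '9.9.9.9'),
    [int]$TimeoutMinutes    = 10
)

# The record name Let's Encrypt queries for a DNS-01 challenge.
$name     = "_acme-challenge.$Domain"
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)

function Test-ChallengeRecord {
    param([string]$Server)
    try {
        # -DnsOnly bypasses the local cache and hosts file, so the answer
        # reflects what the named public resolver really returns.
        $answers = Resolve-DnsName -Name $name -Type TXT -Server $Server -DnsOnly -ErrorAction Stop
    } catch {
        # NXDOMAIN, timeout or SERVFAIL all mean "not visible here yet".
        return $false
    }
    # A TXT record may be split into several strings; join them before comparing,
    # and require an exact match (a stale value from an older run must not pass).
    foreach ($a in ($answers | Where-Object { $_.Type -eq 'TXT' })) {
        if ((($a.Strings) -join '') -eq $Expected) { return $true }
    }
    return $false
}

do {
    $results = foreach ($r in $Resolvers) {
        [pscustomobject]@{ Resolver = $r; Visible = (Test-ChallengeRecord -Server $r) }
    }
    $results | Format-Table -AutoSize | Out-String | Write-Host

    if (-not ($results.Visible -contains $false)) {
        Write-Host "Challenge record visible at all resolvers; go back to the le64 window and press Enter."
        exit 0
    }
    Start-Sleep -Seconds 30
} while ((Get-Date) -lt $deadline)

Write-Warning "Record not visible everywhere after $TimeoutMinutes minutes. In Google Domains the name should be _acme-challenge (type TXT) and the value exactly what le64 printed."
exit 1
```

Save it as check_txt.ps1 and run it from a second PowerShell window while the batch file waits; when it exits 0, press Enter in the le64 window. If it times out, the usual causes are a typo in the value, a record created under the wrong name, or the resolver still serving the old answer (the record's TTL has to expire first).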

MikeB111

One other comment.  I didn't do this in my original post because I prefer to just keep track of my renewal schedule on my own.  But if you want, you can add this to your le64 command line when getting or renewing the SSL certificate (don't remove anything else that was there, just add this to the rest of the command):

--email "my@email.com"

It will register your email address with Lets Encrypt (substitute your real email address in place of my@email.com of course).  Then I understand that they will email you a reminder when your certificate is about to expire.  It's a nice way to be sure you don't let time slip away from you and suddenly find your certificate expired.

 


BAlGaInTl

Great guide.

 

The only comment that I would make is that I've been steering people more towards using Cloudflare's free service for the certificate.

 

It's a couple of extra steps in the beginning, but then you don't have to worry about updating every 90 days.  You get the added bonus of some protections that Cloudflare builds into its service.



Hi.  Would you mind providing those extra steps in here?

 

Thanks.


BAlGaInTl


I'll see what I can do.  I've pieced it from around the web.  I'll do what I can to provide some instructions and links to the info I found.

 

I always wondered though.... why does Emby use the single certificate rather than the default cer and key files that are most often provided.  I'm sure there is a reason for that.  I just don't know what it is.  Other web applications I've used just provide an interface for you to select those files and "upload" them.


MikeB111

While the approach outlined in this post works great, it does require you to renew your certificate every 3 months.  As described, this is super easy, run a script, post your TXT record in your DNS provider.  But if you're interested in a method to get SSL encryption without any maintenance, check out my new post on using a reverse proxy (Caddy in this case).  It's not really much harder to set up, and renewals are fully automated.

 

Here's the post.

 

Both approaches work, you may have a personal preference that causes you to choose one or the other.  But having different options is always a good thing!  Thanks!


Spaceboy

I used to use Caddy but stopped because of the need to manually renew certs. While it may sound super easy, for me as a user it wasn't.

 

I went the nginx plus Cloudflare route, which gives me an SSL cert with a much, much, much longer expiry date.

 

Other than that I liked caddy


pwhodges

The whole point of Caddy is that it handles the certs completely automatically for you - it's easy, as in, you never have to do anything, not even an initial application - both the initial set up and the three-monthly renewals are completely transparent.

 

It is possible to get your own certificate and install it manually, but that's a deliberate decision to override the automation.

 

I have at least a dozen certificates, and never give them a thought.  I have even arranged for the cert for my mailserver to be handled by Caddy and copied by a scheduled task to the mailserver when it updates.

 

If you prefer to use Apache or nginx, then install certbot to handle the certificate installation and renewal in the same way.

 

Paul



Be aware that if you are on a domain (for example with a Server 2012 R2 RWA server AND an Exchange server that use SSL) this can cause issues.  You pretty much need to proxy off the RWA IIS server and then hope Let's Encrypt does not balk due to the RWA server proxying to the Emby machine.

The easiest bet is to use a non-standard port, NAT it off the router and, on Windows machines with IIS, generate a cert request and spend $12 a year on a Comodo or RapidSSL cert from a reseller.


pwhodges

If you can't get port 80 access for Let's Encrypt to authenticate your server with, then you can set up a DNS challenge against most DNS providers instead.  This mechanism is available in Caddy (though you have to download a build with the correct DNS provider selected).

 

Paul


Much easier (for me) to spend 20 minutes every 2 years (I do my certs as 2 years), then just NAT the router, set up the A record to the WAN IP in DynDNS Pro (or whatever service you use) and be done.

The A record takes 2 minutes to do; the cert takes 20 or so.  No program installs to do.  But I am used to doing it on IIS machines here: 2 email servers (one for Xeams spam control, the other an Exchange server) as well as the domain controller.

 

Edit: clarified "easier for ME" as I do multiple machines at once with the Exchange Autodiscover service.

Edited by dmacleo

pwhodges

"Much easier"?  I don't need to spend 20 minutes every two years, nor to pay the cost.  For no effort after installation, my Caddy server currently maintains seventeen certificates, and acquires new ones for me when required to match any web site I create - all entirely automatically.

 

Paul


Messed with Caddy a bit but had issues with Autodiscover on Exchange, especially when integrated with a Server Essentials server; could not get a Caddyfile to work with all aspects, only some, so I have to deal with them anyway, so it is much easier for me (thought I had said "for me" when I typed that yesterday, will correct that) to just do 4-5 machines at once.

Flip side: I use Let's Encrypt on 2 (maybe 3, cannot remember right now) CentOS servers I deal with, and for the stuff running on them (no esoteric setups or stuff like Exchange Autodiscover) the DirectAdmin plugin works great automatically for the domains on them.

Been meaning to try Caddy on nginx reverse proxy servers, just not had a chance to yet.

scharbag

Thank you for this.

 

When I force it to renew (set --renew 90) it seems to update fine without requiring me to update the challenge TXT file.  IIRC, even using the web interface, you do not need to update the challenge TXT when you renew.

 

So, if that is the case, we should just be able to schedule the batch file every week and it "should" just update right?  Emby will still need to be restarted?  Or if the certificate.pfx is updated, does Emby automatically update the SSL info?

 

Cheers,

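An added example, not from the original post and not part of Emby, that follows up on the Certificate Renewal section and on the question above about whether Emby picks up a renewed certificate.pfx: a PowerShell check meant to run from a scheduled task. It loads the PFX le64 wrote, performs a TLS handshake against the public Emby port, and compares thumbprints. Matching thumbprints mean the server is serving the file on disk; a mismatch after a renewal means Emby is still holding the old certificate and needs a restart. It also reports days to expiry, so you get a warning inside the renewal window, and builds the chain on the certificate clients actually receive. The paths, password, host, port, threshold and the service name 'EmbyServer' are assumptions to edit.

```powershell
# Added example (not from the original post or from Emby). Compares the PFX on
# disk with the certificate Emby actually serves, reports days to expiry, and
# restarts Emby when the served certificate is not the one on disk.
#
# Assumptions (not in the original post): every value in param() is a
# placeholder, including the service name; check it with Get-Service first.
param(
    [string]$PfxPath          = 'C:\ZeroSSL\certificate.pfx',
    [string]$PfxPassword      = 'yourpasswordhere',
    [string]$HostName         = 'yourdomain.net',
    [int]$Port                = 8920,
    [int]$RenewWithinDays     = 20,
    [string]$EmbyService      = 'EmbyServer'   # assumption; Emby may also run as a tray app
)

function Get-ServedCertificate {
    # Opens a TLS connection (SNI = $TargetHost) and returns the leaf certificate
    # the server presents. The validation callback always returns $true so the
    # certificate can be inspected even if it is wrong; validation is done below.
    param([string]$TargetHost, [int]$TargetPort)
    $client = New-Object System.Net.Sockets.TcpClient($TargetHost, $TargetPort)
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($TargetHost)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

# 1. The certificate le64 exported (password is the one from get_cert.bat).
$onDisk   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword)
$daysLeft = [math]::Floor(($onDisk.NotAfter - (Get-Date)).TotalDays)

# 2. The certificate remote clients receive on the forwarded port.
$served = Get-ServedCertificate -TargetHost $HostName -TargetPort $Port

# 3. Independent chain check on the served leaf (expired, untrusted or wrong-name
#    certificates show up here even though the handshake above accepted everything).
$chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chainOk = $chain.Build($served)

"PFX on disk : {0}  expires {1:yyyy-MM-dd}  ({2} days left)" -f $onDisk.Thumbprint, $onDisk.NotAfter, $daysLeft
"Served on {0}: {1}  subject {2}  chain valid: {3}" -f $Port, $served.Thumbprint, $served.Subject, $chainOk

if ($served.Thumbprint -ne $onDisk.Thumbprint) {
    Write-Warning "Emby is not serving the PFX on disk; restarting $EmbyService so it reloads the certificate."
    # If Emby runs as the tray application rather than a service this fails; close and relaunch it instead.
    Restart-Service -Name $EmbyService -ErrorAction Stop
}
if ($daysLeft -le $RenewWithinDays) {
    Write-Warning "Within $RenewWithinDays days of expiry: run renew_cert.bat (le64 --renew $RenewWithinDays), then rerun this check."
}
if (-not $chainOk) {
    Write-Warning ("Served certificate does not validate: " + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '))
}
```

Run it right after the first setup to confirm the forwarded port presents the Let's Encrypt certificate, then schedule it daily. Run from inside the home network it tests the server directly rather than through the router's port forward, so run it once from outside (a phone hotspot is enough) to confirm the forwarding as well.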

  • 2 weeks later...
RDSII64

Do I also have to change the DNS server from what my ISP uses to the ones google uses? So far following these instructions isn't working.


RDSII64

I found the answer to my problems.  My Emby server is now behind Cloudflare and all remote connections must be via HTTPS.  It took some tinkering but it's now working.


JulesC

@MikeB111 thank you for the two excellent resources. I've completed the Domain Name, DNS entries on Google Domains and I've created the SSL cert. Now, to tackle the Reverse Proxy.  Thanks again!!!


Cthalpa

Thanks for this, but there are ways much simpler and easier, perhaps you could also cover these :)
